Updates of IT data security and risk assessment standards

Kyle Cavanaugh, Senior Vice President for Administration
Marc Hoit, Interim CIO

The purpose of this memorandum is provide the campus community with information related to updated Information Technology (IT) standards and guidelines for data security and risk assessment (http://www.it.ufl.edu/policies/security/).

The new standards and guidelines have been developed in collaboration with the Information Technology Advisory Committees (ITAC), Privacy Office and the General Counsel and are in compliance with both recent audit recommendations and privacy related laws. All University of Florida units should adopt plans for immediate compliance with these regulations.

Data security standards identify faculty and staff roles and responsibilities for protecting private data. Use limitation standards describe private data classifications, location restrictions, storage and transmission requirements, encryption requirements, and training requirements. Guidelines are offered to help users and IT workers understand appropriate private data protections for e-mail, instant messaging, Web, laptops, PDAs, CD-ROMs, thumb drives, and other portable devices and media. Various data security training opportunities are offered by Human Resources, the Privacy Office and the Office of IT Security Management.

The IT risk assessment standard was updated to require that at least once every five years all campus units conduct a comprehensive IT risk assessment and transmit a mitigation strategy report to the UF Information Security Manager. Guidelines and Web tools are provided to assist units with their assessments. While IT workers will likely manage the assessments, it is vital that unit administration support and participate in the assessment process along with IT workers and other unit staff. Risk management training for IT workers has already begun. Units should submit their first mitigation strategy to the UF ISM, Kathy Bergsma (kbergsma@ufl.edu, 392-2061) by November 30, 2008.

While the standards addressed in this memo relate only to the use of private data on computing resources, it is expected that paper and other media containing private data will also be protected (http://privacy.ufl.edu/). UF also expects similar measures will be implemented for other sensitive data that must also be protected.

Enforcement of these and all UF IT security regulations is described in the UF IT Security Charter at http://www.it.ufl.edu/policies/security/uf-it-sec-charter.html#enforcement. To review changes planned for other IT security regulations, see http://www.it.ufl.edu/policies/security/drafts.html.

The University of Florida takes very seriously the protection of private data used throughout campus. The UF Interim Chief Information Officer and the UF Chief Privacy Officer will continue to update the UF community on information technology standards relating to use of UF private data on computing and networking resources.